@@ -721,10 +721,22 @@ func validateCondValue(cond string) error {
721721 }
722722
723723 lower := strings .ToLower (cond )
724- if ! strings .HasPrefix (lower , "@if( " ) && ! strings .HasPrefix (lower , "@filter( " ) {
724+ if ! strings .HasPrefix (lower , "@if" ) && ! strings .HasPrefix (lower , "@filter" ) {
725725 return errors .Errorf ("invalid cond value: must start with @if( or @filter(" )
726726 }
727727
728+ // Strip the directive prefix and verify the remainder (after optional whitespace) starts with '('.
729+ prefix := "@if"
730+ if strings .HasPrefix (lower , "@filter" ) {
731+ prefix = "@filter"
732+ }
733+ rest := strings .TrimSpace (cond [len (prefix ):])
734+ if len (rest ) == 0 || rest [0 ] != '(' {
735+ return errors .Errorf ("invalid cond value: must start with @if( or @filter(" )
736+ }
737+ // Rebuild cond without the space so the paren-balancing logic works on the normalized form.
738+ cond = prefix + rest
739+
728740 openIdx := strings .Index (cond , "(" )
729741 if openIdx == - 1 {
730742 return errors .Errorf ("invalid cond value: missing opening parenthesis" )
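Review bot: Once `cond = prefix + rest` has run, the `openIdx == -1` branch that follows is unreachable, because `rest[0] != '('` has already rejected every input without a parenthesis directly after the directive; `openIdx` is now just `len(prefix)`, so `openIdx := len(prefix)` with the dead check dropped (or a comment saying why it stays) would be clearer. The prefix test on line 724 and the `rest[0] != '('` test also return the identical error string, so folding them into one guard leaves a single place to maintain. The prefix is matched on `lower` but the slice is taken from `cond`; for the ASCII prefixes the lengths agree, and a leading non-ASCII rune that lowercases to an ASCII letter would only make the slice land mid-rune and fail the `'('` test, but a one-line comment on that coupling would help the next reader. Note that `strings.TrimSpace` here admits any Unicode whitespace, including newlines, between the directive and `(`, which the old exact-prefix check did not. validateCondValue's body continues past the hunk.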
@@ -781,6 +793,7 @@ var valVarRegexp = regexp.MustCompile(`^val\([a-zA-Z_][a-zA-Z0-9_.]*\)$`)
781793// validateValObjectId checks that an ObjectId starting with "val(" is a well-formed
782794// val(variableName) reference and contains no injected DQL syntax.
783795func validateValObjectId (objectId string ) error {
796+ objectId = strings .TrimSpace (objectId )
784797 if ! valVarRegexp .MatchString (objectId ) {
785798 return errors .Errorf ("invalid val() reference in ObjectId: %q" , objectId )
786799 }
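Review bot: The trimmed `objectId` is what `valVarRegexp` checks, but the function only returns an error, so the caller still holds the untrimmed string, which is presumably what ends up in the query; validation and use now happen on two different values. Either return the normalized form, e.g. `func validateValObjectId(objectId string) (string, error)`, or trim at the call site before both validating and using the value, so the checked string is the emitted one. The same applies to validateLangTag at line 808, where a whitespace-only tag now validates as empty and returns nil while the caller's copy still contains the whitespace. If callers are already known to trim, a doc comment stating that precondition on both functions would make the contract explicit.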
@@ -792,6 +805,7 @@ var langTagRegexp = regexp.MustCompile(`^[a-zA-Z]+(-[a-zA-Z0-9]+)*$`)
792805
793806// validateLangTag checks that a language tag contains only safe characters.
794807func validateLangTag (lang string ) error {
808+ lang = strings .TrimSpace (lang )
795809 if lang == "" {
796810 return nil
797811 }